Include certificate expiry check in all kubernetes commands (#899)

* Include certificate expiry check in all kubernetes commands

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>

* Using PostRun from Cobra and fixing review comments

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>

* Modifying logging for error on certificate check

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>

* Fixing review comments

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>

* Fixing string messages

Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>
Pravin Pushkar 2022-02-25 13:43:08 +05:30 committed by GitHub
parent 5a8c3314ce
commit 34353a27e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 63 additions and 4 deletions


@ -39,6 +39,9 @@ var ComponentsCmd = &cobra.Command{
}
}
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
Example: `
# List Kubernetes components
dapr components -k
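Review bot: The PostRun added to ComponentsCmd calls `kubernetes.CheckForCertExpiry()` unconditionally, while the dashboard and list commands in this same commit wrap the call in `if kubernetesMode { ... }`. Run starts outside this hunk, so it is not visible whether the command can complete without `-k`; if it can, the hook would query the cluster's trust bundle after a non-Kubernetes invocation. Either add the same guard here or document the assumption with a comment such as `// Kubernetes-only command: the expiry check always applies.`. The ConfigurationsCmd hook has the same shape.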


@ -39,6 +39,9 @@ var ConfigurationsCmd = &cobra.Command{
}
}
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
Example: `
# List Kubernetes Dapr configurations
dapr configurations -k


@ -181,6 +181,11 @@ dapr dashboard -k -p 9999
}
}
},
PostRun: func(cmd *cobra.Command, args []string) {
if kubernetesMode {
kubernetes.CheckForCertExpiry()
}
},
}
func init() {


@ -87,6 +87,11 @@ dapr list -k
outputList(list, len(list))
}
},
PostRun: func(cmd *cobra.Command, args []string) {
if kubernetesMode {
kubernetes.CheckForCertExpiry()
}
},
}
func init() {


@ -44,6 +44,9 @@ dapr logs -k --app-id sample --pod-name target --namespace custom
}
print.SuccessStatusEvent(os.Stdout, "Fetched logs")
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
}
func init() {


@ -47,6 +47,9 @@ dapr mtls -k
}
fmt.Printf("Mutual TLS is %s in your Kubernetes cluster \n", status)
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
}
var ExportCMD = &cobra.Command{
@ -60,12 +63,15 @@ dapr mtls export -o ./certs
err := kubernetes.ExportTrustChain(exportPath)
if err != nil {
print.FailureStatusEvent(os.Stderr, fmt.Sprintf("error exporting trust chain certs: %s", err))
return
os.Exit(1)
}
dir, _ := filepath.Abs(exportPath)
print.SuccessStatusEvent(os.Stdout, fmt.Sprintf("Trust certs successfully exported to %s", dir))
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
}
var ExpiryCMD = &cobra.Command{
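Review bot: The new `os.Exit(1)` on the export error path ends the process inside Run, so the PostRun hook added just below it never executes when the export fails; Cobra only invokes PostRun after Run returns. The expiry warning is therefore skipped on the failure path, which may be exactly when a certificate problem is worth surfacing to the operator. Consider calling `kubernetes.CheckForCertExpiry()` before the exit, or moving the check to a PreRun hook, and add a comment on the hook stating which paths are covered. Error paths of the other commands are outside the visible hunks and may behave the same way.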


@ -54,6 +54,9 @@ dapr status -k
utils.PrintTable(table)
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
}
func init() {


@ -45,6 +45,9 @@ dapr upgrade -k
}
print.SuccessStatusEvent(os.Stdout, "Dapr control plane successfully upgraded to version %s. Make sure your deployments are restarted to pick up the latest sidecar version.", upgradeRuntimeVersion)
},
PostRun: func(cmd *cobra.Command, args []string) {
kubernetes.CheckForCertExpiry()
},
}
func init() {


@ -28,12 +28,14 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/dapr/cli/pkg/print"
"github.com/dapr/dapr/pkg/apis/configuration/v1alpha1"
)
const (
systemConfigName = "daprsystem"
trustBundleSecretName = "dapr-trust-bundle" // nolint:gosec
systemConfigName = "daprsystem"
trustBundleSecretName = "dapr-trust-bundle" // nolint:gosec
warningDaysForCertExpiry = 30 // in days
)
func IsMTLSEnabled() (bool, error) {
@ -107,6 +109,32 @@ func ExportTrustChain(outputDir string) error {
return nil
}
// Check and warn if cert expiry is less than `warningDaysForCertExpiry` days.
func CheckForCertExpiry() {
expiry, err := Expiry()
// The intent is to warn for certificate expiry, only when it can be fetched.
// Do not show any kind of errors with normal command flow.
if err != nil {
return
}
daysRemaining := int(expiry.Sub(time.Now().UTC()).Hours() / 24)
if daysRemaining < warningDaysForCertExpiry {
warningMessage := ""
switch {
case daysRemaining == 0:
warningMessage = "Dapr root certificate of your Kubernetes cluster expires today."
case daysRemaining < 0:
warningMessage = "Dapr root certificate of your Kubernetes cluster has expired."
default:
warningMessage = fmt.Sprintf("Dapr root certificate of your Kubernetes cluster expires in %v days.", daysRemaining)
}
helpMessage := "Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions."
print.WarningStatusEvent(os.Stdout,
fmt.Sprintf("%s Expiry date: %s. \n %s", warningMessage, expiry.Format(time.RFC1123), helpMessage))
}
}
func getTrustChainSecret() (*corev1.Secret, error) {
_, client, err := GetKubeConfigClient()
if err != nil {
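Review bot: `daysRemaining` in CheckForCertExpiry comes from `int(expiry.Sub(time.Now().UTC()).Hours() / 24)`, which truncates toward zero, so a certificate that expired less than 24 hours ago yields 0 and is reported as "expires today" instead of "has expired". Test the instant before the day count, for example by placing `case !expiry.After(time.Now().UTC()):` ahead of the `daysRemaining == 0` case for the expired message. The warning is also written to `os.Stdout`, where it is appended to the command's own output; passing `os.Stderr` to `print.WarningStatusEvent` would keep output that scripts parse free of the notice. The doc comment should start with the function name, e.g. `// CheckForCertExpiry warns when the certificate expires in fewer than warningDaysForCertExpiry days.`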


@ -490,7 +490,7 @@ func uninstallTest(all bool) func(t *testing.T) {
go waitPodDeletion(t, done, podsDeleted)
select {
case <-podsDeleted:
t.Log("pods were delted as expected on uninstall")
t.Log("pods were deleted as expected on uninstall")
return
case <-time.After(2 * time.Minute):
done <- struct{}{}